From abd62ae74e6b3d7c785717643bb254ecfef0fdac Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Tue, 26 Mar 2024 06:31:28 +0300
Subject: [PATCH] =?UTF-8?q?fix(terraform):=20=D1=81hecking=20SSE=20encrypt?=
 =?UTF-8?q?ion=20algorithm=20validity=20(#6341)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../adapters/terraform/aws/s3/adapt_test.go | 29 ++++++++++++++++++-
 pkg/iac/adapters/terraform/aws/s3/bucket.go | 10 +++++--
 2 files changed, 36 insertions(+), 3 deletions(-)

diff --git a/pkg/iac/adapters/terraform/aws/s3/adapt_test.go b/pkg/iac/adapters/terraform/aws/s3/adapt_test.go
index 1d347d3520fe..65394abd3ea7 100644
--- a/pkg/iac/adapters/terraform/aws/s3/adapt_test.go
+++ b/pkg/iac/adapters/terraform/aws/s3/adapt_test.go
@@ -36,7 +36,7 @@ resource "aws_s3_bucket_public_access_block" "example_access_block"{
 hasPublicAccess: true,
 },
 {
- desc: "public access block is found when using the bucket name as the lookup",
+ desc: "public access block is found when using the bucket id as the lookup",
 source: `
 resource "aws_s3_bucket" "example" {
 bucket = "bucketname"
@@ -254,6 +254,33 @@ func Test_Adapt(t *testing.T) {
 },
 },
 },
+ {
+ name: "non-valid SSE algorithm",
+ terraform: `
+resource "aws_s3_bucket" "this" {
+ bucket = "test"
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
+ bucket = aws_s3_bucket.this.id
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = ""
+ }
+ }
+}`,
+ expected: s3.S3{
+ Buckets: []s3.Bucket{
+ {
+ Name: iacTypes.String("test", iacTypes.NewTestMetadata()),
+ Encryption: s3.Encryption{
+ Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ },
+ ACL: iacTypes.String("private", iacTypes.NewTestMetadata()),
+ },
+ },
+ },
+ },
 }

 for _, test := range tests {
diff --git a/pkg/iac/adapters/terraform/aws/s3/bucket.go b/pkg/iac/adapters/terraform/aws/s3/bucket.go
index ae5b2ddb2f4d..5ecf7e9ba21b 100644
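Review bot: The new case at `name: "non-valid SSE algorithm"` pins only `sse_algorithm = ""`, so the rejection path added for non-empty unrecognized values, and whether the match is case-sensitive, are left unexercised. I would add a sibling case with `sse_algorithm = "aes256"` expecting `Enabled: iacTypes.Bool(false, iacTypes.NewTestMetadata())` (assuming a case-sensitive match is intended, which I believe matches the provider's own validation of this attribute) and, unless an earlier case already covers it, one with `sse_algorithm = "aws:kms"` expecting `Enabled: true`, so any later loosening or tightening of the check surfaces here. Test_Adapt's table starts before the hunk and the loop that runs it continues after it.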
--- a/pkg/iac/adapters/terraform/aws/s3/bucket.go
+++ b/pkg/iac/adapters/terraform/aws/s3/bucket.go
@@ -1,6 +1,10 @@
 package s3

 import (
+ "slices"
+
+ s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
+
 "github.com/aquasecurity/trivy/pkg/iac/providers/aws/s3"
 "github.com/aquasecurity/trivy/pkg/iac/terraform"
 iacTypes "github.com/aquasecurity/trivy/pkg/iac/types"
@@ -194,11 +198,13 @@ func isEncrypted(sseConfgihuration *terraform.Block) iacTypes.BoolValue {
 sseConfgihuration,
 "rule.apply_server_side_encryption_by_default.sse_algorithm",
 func(attr *terraform.Attribute, parent *terraform.Block) iacTypes.BoolValue {
- if attr.IsNil() {
+ if attr.IsNil() || !attr.IsString() {
 return iacTypes.BoolDefault(false, parent.GetMetadata())
 }
+ algoVal := attr.Value().AsString()
+ isValidAlgo := slices.Contains(s3types.ServerSideEncryption("").Values(), s3types.ServerSideEncryption(algoVal))
 return iacTypes.Bool(
- true,
+ isValidAlgo,
 attr.GetMetadata(),
 )
 },
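Review bot: The new `isValidAlgo` line makes any `sse_algorithm` string outside the vendored SDK's enum report the bucket as unencrypted, which is the right fail-closed default for a scanner, but nothing in the hunk says so, and the accepted set silently changes with each `aws-sdk-go-v2` bump (an algorithm AWS introduces before the SDK is updated will be flagged as no encryption). I would put above that line: `// Unknown or misspelled algorithms count as no encryption (fail closed); the accepted set is whatever the vendored SDK's ServerSideEncryption enum lists, so an SDK bump can change findings.` Separately, `AsString()` on a cty value panics when the value is unknown or null; if `Value()` hands back a raw cty.Value and `IsString()` does not already rule those cases out (neither is visible here), guard with `IsKnown()`/`IsNull()` before the conversion rather than relying on the type check alone. The enclosing `isEncrypted` and the callback it passes both start and end outside the hunk.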